SCEP and NPS

    Question

  • Hello,

    Aim: Windows 10 devices, enrolled using Intune, will get Wi-Fi, root and SCEP profiles. The permanent Wi-Fi will be to a Meraki Access Point which authenticates against my RADIUS server (NPS).

    At the moment it seems that all the profiles are deployed correctly, the root CAs are in the devices' trusted certs, the Wi-Fi profile is there and according to Intune (and the CA) the SCEP certificate has been issued... but question number 1:

    1. How can I check on the device that the SCEP certificate is on it?

    My only problem now is that when I try to connect to the Access Point's SSID, which authenticates against my NPS server, I get a failure in that it's expecting a certificate. If I check the NPS logs I can see that an attempt is made to connect but is rejected with event ID 6273, reason code 8 (the specified user account does not exist).

    NPS is set up for EAP-TLS authentication (certificates only); NPS has a server certificate, and all with trust to the chained root CA.

    Any pointers on where I may have gone wrong?

    Tuesday, May 14, 2019 7:49 PM

All replies

  • If you don’t have access to the physical device to check the certificate store (using MMC), then on the certificate connector server there should be a log called NDESConnector_Date.svclog. You can see if it issued the certificate to the device. Check this link at the very bottom for how to view and open the log: https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Configuring-and-Troubleshooting-PFX-PKCS/ba-p/516450?utm_source=dlvr.it&utm_medium=twitter
    Tuesday, May 14, 2019 8:59 PM
  • Hi, thanks for the reply.

    I have got access to the device... but my understanding was that SCEP certificates are saved to the TPM and are therefore not visible via the MMC certificate snap-in?

    Wednesday, May 15, 2019 4:57 AM
  • Sorry, you're correct. Can you confirm in the log mentioned above that the certificate was handed out?
    Wednesday, May 15, 2019 5:45 AM
  • Hi Nick,

    I have checked that log and everything looks correct.

    I have also checked the CA and the certificate is "Issued".

    However, within Intune, under the SCEP profile --> Certificates. The certificate has a "certificate status" as None.

    Wednesday, May 15, 2019 8:42 AM
  • Hi,

    Is it a user or device based cert? If it is device based, are the devices only AAD joined (not joined to a local domain)? NPS is not able to authenticate AAD joined devices, since when authentication is made, it queries AD for the computer object; if it's not found, the error "the specified user account does not exist" is returned.

    If the above is the case, your option is to use user-based cert (since user accounts exists in AD) or a third-party NPS. 

    Wednesday, May 15, 2019 9:52 AM
  • That's not correct. TPMs store the private key, not the certificate and this is contingent upon what is chosen in the SCEP profile. See https://docs.microsoft.com/en-us/intune/certificates-scep-configure.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, May 15, 2019 4:06 PM
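The two questions above (is the SCEP cert actually in the store, and is its private key in the TPM or in software) can be answered from the client with one script. The following is an added example, not code from the thread or from Microsoft; it assumes the issuing CA's name contains the placeholder string 'Contoso' (substitute your own CA) and that it is run in an elevated PowerShell on the Windows 10 client. For a user-based SCEP profile, point it at Cert:\CurrentUser\My instead.

```powershell
# Added example (not from the thread): inventory the Personal store for a SCEP-issued
# certificate and report where its private key is held.
# Assumptions (not from the thread): $IssuerMatch is a placeholder CA name; run elevated.

param(
    [string]$IssuerMatch = 'Contoso',                  # hypothetical CA name, change to yours
    [string]$StorePath   = 'Cert:\LocalMachine\My'     # Cert:\CurrentUser\My for a user cert
)

function Get-ScepCertReport {
    param([string]$Path, [string]$Issuer)

    Get-ChildItem -Path $Path |
        Where-Object { $_.Issuer -match $Issuer } |
        ForEach-Object {
            $cert = $_

            # Subject Alternative Name (OID 2.5.29.17). For EAP-TLS this is the identity
            # NPS tries to resolve in AD (UPN for a user cert, DNS name for a device cert).
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $san    = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }

            # Enhanced Key Usage (OID 2.5.29.37): EAP-TLS needs Client Authentication
            # (1.3.6.1.5.5.7.3.2) in the client certificate.
            $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $ekus   = @()
            if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

            # Where the private key lives. A TPM-backed key is reported under the
            # 'Microsoft Platform Crypto Provider' KSP; a software key under the
            # 'Microsoft Software Key Storage Provider'. The certificate itself is always
            # in the store regardless of where the key is.
            $provider = $null
            if ($cert.HasPrivateKey) {
                try {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $provider = $rsa.Key.Provider.Provider
                    } else {
                        $provider = $rsa.GetType().Name      # legacy CSP-backed key
                    }
                } catch {
                    $provider = "error: $($_.Exception.Message)"
                }
            }

            [pscustomobject]@{
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                Thumbprint    = $cert.Thumbprint
                SAN           = $san
                ClientAuthEKU = ($ekus -contains '1.3.6.1.5.5.7.3.2')
                HasPrivateKey = $cert.HasPrivateKey
                KeyProvider   = $provider
            }
        }
}

Get-ScepCertReport -Path $StorePath -Issuer $IssuerMatch | Format-List
```

If nothing is returned, the certificate was never written to that store, whatever the CA and the NDES connector log say; check the other store (user versus machine) before assuming delivery failed. `certutil -store My` (or `certutil -user -store My`) shows the same provider information under "Provider =" if you prefer the built-in tool.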
  • Let me try and explain in more detail -

    I'm using AAD for users and devices.

    However, my SCEP / NPS solution (and PKI) is completely separate to that, on its own local AD (on a VM).

    During device enrolment the device gets the SCEP, root and Wi-Fi profiles and therefore the device gets:

    1. the ROOT cert in trusted certs (confirmed on device)

    2. Wifi profile (confirmed on device)

    3. SCEP certificate (confirmed that it's issued and NDES logs suggest everything is OK with delivery, but unable to confirm on the device).

    I then have a Meraki AP which is configured to authenticate against my RADIUS server (NPS, which is on the same domain as my SCEP / PKI infrastructure).

    NPS is set up for EAP-TLS profiles.

    Therefore when the device tries to connect to the SSID on Meraki it should authenticate using the certificate issued by SCEP.

    Wednesday, May 15, 2019 6:49 PM
  • Jason - so do you think I should be seeing the public key in my personal certificates store?
    Wednesday, May 15, 2019 9:19 PM
  • Certificates contain public keys so yes, you should be seeing the cert. Which store are you checking? The Personal store of the local computer?

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, May 15, 2019 9:27 PM
  • Well... I checked both the user and local computer cert stores previously and there was nothing; however, having just checked, I can now see them appearing... I guess I must have corrected something along the way.

    OK, so now my situation is:

    Using Device certificate (SCEP profile):

    Client error when attempting to connect to SSID - You need a certificate to connect.

    NPS error - event ID: 6273, reason code 8 (the specified user account does not exist)

    Using User certificate (SCEP profile):

    Client error when attempting to connect to SSID - Unable to connect to this network.

    NPS error - event ID: 6273, reason code 7 (the specified domain does not exist)

    I can understand this one as the user is on a different domain to the NPS server... but can't understand the device cert error.

    Thursday, May 16, 2019 8:53 AM
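The two rejects above (reason code 8 for the device cert, reason code 7 for the user cert) come from NPS event 6273 in the Security log, and the useful detail is in the event's data fields rather than the summary. The following is an added example for pulling those fields out on the NPS server, not code from the thread or from Microsoft; it assumes the EventData field names used by event 6273 (SubjectUserName, FullyQualifiedSubjectUserName, CallingStationID, NASIdentifier, AuthenticationType, EAPType, ReasonCode, Reason) and an elevated PowerShell session on the NPS server. The reason-code table is a small subset, not the full list.

```powershell
# Added example (not from the thread): summarise NPS reject events (ID 6273) from the
# Security log so the identity NPS tried to resolve and the reason code are visible.
# Assumptions (not from the thread): EventData field names as listed in the lead-in;
# run elevated on the NPS server (or pass -ComputerName with remote event log access).

# Reason codes quoted in this thread plus a few common ones (subset only).
$ReasonText = @{
    7  = 'The specified domain does not exist'
    8  = 'The specified user account does not exist'
    16 = 'Authentication failed due to a user credentials mismatch'
    48 = 'The connection request did not match any configured network policy'
    66 = 'The user attempted to use an authentication method that is not enabled on the matching network policy'
}

function Get-NpsRejects {
    param(
        [int]$Last = 20,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 6273 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $Last -ErrorAction Stop |
        ForEach-Object {
            # Flatten the EventData name/value pairs into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            $code = [int]$d['ReasonCode']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['FullyQualifiedSubjectUserName']   # identity NPS resolved (or failed to)
                RawIdentity = $d['SubjectUserName']                 # identity as presented by the client
                ClientMAC   = $d['CallingStationID']
                NAS         = $d['NASIdentifier']                   # the Meraki AP in this thread
                AuthType    = $d['AuthenticationType']
                EapType     = $d['EAPType']                         # expect EAP-TLS here
                ReasonCode  = $code
                Reason      = if ($ReasonText.ContainsKey($code)) { $ReasonText[$code] } else { $d['Reason'] }
            }
        }
}

# Show the individual rejects, newest first...
Get-NpsRejects -Last 20 | Format-Table Time, RawIdentity, User, NAS, EapType, ReasonCode, Reason -AutoSize

# ...and group by reason so a pattern such as "every device cert fails with 8" stands out.
Get-NpsRejects -Last 50 | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Reason'; e = { $_.Group[0].Reason } }
```

The RawIdentity and User columns are the ones to compare against the SAN in the issued certificate and against what actually exists in the AD domain NPS is joined to: codes 7 and 8 both mean NPS could not map the presented name to an account in that domain, which is the situation described above where the NPS domain has no object for an AAD-only device or for a user from a different domain.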